Shedun (GhostPush), Kemoge (ShiftyBug) and Shuanet are Android adware families that root infected devices in order to prevent their removal and give attackers unrestricted access. Lookout reported earlier this month that the threats, which the company calls trojanized adware because they are designed not only to serve ads but also to install third-party apps, had been found in more than 20,000 popular Android applications.

Further analysis of Shedun revealed that the adware can automatically install third-party apps without the user’s consent. Once it infects a device and gains root access, the threat attempts to convince victims to enable accessibility features because they are allegedly needed by a utility to “help stop inactive apps.” To increase the chances of tricking the user, the message also points out that a “standard privacy risk reminder” will be displayed, but encourages the victim to “feel at ease about turning it on.”

Once the accessibility service is enabled, Shedun displays a pop-up ad for an application. Even if the victim closes the pop-up, the application is downloaded. By leveraging its permission to use the accessibility service, Shedun can read the text on the screen to determine if it’s an app installation dialog, scroll through the permissions list, and press the install button without any interaction from the user.

It’s worth noting that the adware doesn’t exploit any vulnerabilities to complete this task and instead relies on legitimate functionality.
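Because the technique relies on an enabled accessibility service rather than an exploit, a defender can audit which services are turned on and where their packages came from. The following is an added example, not code from Lookout or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, using constructed sample data and hypothetical package names, and assumes only the Play Store counts as a trusted installer.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.batterysaver/.CleanerService"  # hypothetical package
)
# Constructed sample of `adb shell pm list packages -i`
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.batterysaver  installer=null
package:com.example.notes  installer=com.android.vending
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def parse_enabled_services(raw):
    """Return [(package, service_class)] from the colon-separated setting."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry or entry == "null":  # setting is empty or unset
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # short form is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services

def parse_installers(raw):
    """Map package name -> installer package (None if none is recorded)."""
    installers = {}
    for line in raw.splitlines():
        if not line.strip().startswith("package:"):
            continue
        name, _, rest = line.strip()[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[name.strip()] = None if installer in ("", "null") else installer
    return installers

def audit(enabled_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Flag enabled accessibility services whose package lacks a trusted installer."""
    installers = parse_installers(packages_raw)
    return [
        (pkg, cls, installers.get(pkg))
        for pkg, cls in parse_enabled_services(enabled_raw)
        if installers.get(pkg) not in trusted
    ]
```

A flagged entry is a candidate for review, not proof of infection: a legitimately sideloaded app with an accessibility service produces the same result.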

“Shedun likely uses this technique in order to increase its revenue by guaranteeing the installation and execution of advertised applications. After all, marketing companies pay more money for advertising campaigns where the user actually interacts with the application after downloading it instead of simply downloading and forgetting about it,” Lookout explained in a blog post.

“In this case, Shedun takes that choice away, leaving the user angry at the advertised app that they have been forced to experience, while simultaneously taking the money from ad agencies, despite having violated their policies. This class of malware is evolving quickly and we believe we’ll see more sophisticated families surfacing in the future,” the security firm added.

Shedun is not the first Android threat to abuse the operating system’s accessibility features. Earlier this year, Lookout reported spotting a piece of data-stealing malware, AndroRATIntern, that abused the text-to-speech accessibility feature in Android to capture messages from LINE, a popular Japanese communications app.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.